StreamClosedError not raised when connecting to a TLS server when using incorrect certificates

[mariusvniekerk]

Under some conditions (Python built against openssl 1.1+). Tornado does not raise a StreamClosedError when encountering UNKNOWN_CA errors.

See dask/distributed#2331 for a manifestation of this issue (and a mitigation)

When using correct certificates the behavior is as expected.

[bdarnell]

Note that openssl's version numbering is (was) weird - 1.1.1 is very different from 1.1.0 (it introduced support for TLS 1.3, among other things). This appears to be about 1.1.1.

We found in #2536 that TLS 1.3 changes the timing and sequence of some messages that can lead to hangs in Tornado 4.5. Maybe there's a similar issue here that's causing the unknown CA message to appear in a different order relative to other error/shutdown messages. Setting ssl_ctx.min_version = ssl.TLSVersion.TLSv1_2 (or its pre-py37 equivalents) appears to avoid #2536 and may also help here.

[ploxiln]

Setting ssl_ctx.min_version = ssl.TLSVersion.TLSv1_2

typo - you mean ssl_ctx.max_version (you wrote "max" in #2536)